The Tatami Project: LINKS for a Hidden World -- using Kumo and BOBJ

The Tatami system supports distributed cooperative design,
specification and validation of (software and/or hardware) systems,
especially distributed concurrent systems. The Tatami system integrates
formal with informal methods, has an online tutorial capability, runs over
the web, and is intended to be useful to ordinary software engineers. The
underlying formal logic is first order logic with atoms from hidden (order sorted) algebra. User
interface design has been guided by algebraic semiotics and narratology, which are
respectively the theories of signs and of stories.

Note: "Tatami" are natural fiber mats used in
traditional Japanese buildings. The size of a room is measured by the number
of tatami on its floor, where each tatami is a rectangle about 5 by 3 feet.
Thus a 2 tatami room, like a 2 tatami proof, is pretty small, an 8 tatami room
(or proof) is ok, but a 12 tatami room (or proof) is getting large, and should
probably be subdivided. Tatami are cool, refreshing and aromatic; we hope you
will find this metaphor helpful when creating and browsing proofs.

The figure above suggests how the Tatami system works. The main
components are the Kumo proof assistant and website generator ("kumo" is a
Japanese word for spider), the tatami protocol,
the barista generic proof server, the tatami database,
the BOBJ behavioral specification language, and one or
more proof engines, each with a server (the current implementation uses a
slightly old version of BOBJ). Kumo assists multiple distributed users with
design and validation, and automatically generates websites to document their
work. Kumo reads commands written in the Duck
language, reads specifications in the BOBJ language,
checks proofs using proof engines, and then generates "proofweb" data
structures in XML, which are then translated into HTML for proof
documentation, based on the tatami conventions.
Information is broadcast to other sites using the tatami protocol, and all local tatami databases
(including truth values) are updated locally. Any standard web browser can
be used to view the websites generated by Kumo, and to execute the proof
scores on remote proof engines via barista servers.

We do not aspire to mechanize proofs like those of which mathematicians are
justly so proud, but rather to provide support that is useful to practicing
engineers for design, specification and validation. We also do not aspire to
build powerful theorem provers to compete with existing provers like HOL,
Nqthm, PVS and Otter; instead, we intend to re-use them.

A number of websites generated by Kumo have been organized to form a
tutorial on our approach and some of its underlying technologies, including
website generation, website design principles, proof by reduction, first order
proof planning, hidden algebra (especially coinduction), interactive browsing,
executing proof scores on remote proof servers, interactive Java applets
illustrating key concepts of specifications and verifications, web-based
tutorials on first order logic and hidden algebra, and explanation web pages
for specs and major proof steps. (Of course, many proofs do not admit a
picture or applet to illustrate the main ideas, or even the result.) These
websites were all generated completely automatically by Kumo, of course using
files supplied by the user for specifications, explanations and goals. Because
Kumo checks every proof step with a proof engine, these proofs are formally
correct relative to the specifications and goals the user supplied. The
Kumo demos homepage gives further information about
Kumo and these examples:

An inductive proof that 1+...+n = n(n+1)/2.
This will give you a chance to explore Kumo's navigation and
display conventions on a simple example.

Two proofwebs for some familiar inductive properties of lists. The first
was generated by a duck score written at the beginning of this effort; it is
striking that the lemmas needed to complete the proof can be deduced from the
way that successive proof attempts fail. The second proofweb succeeds, and
was generated by a duck score derived from the first just by reordering its
goals so that the lemmas that were found necessary are proved first.

This early attempt at proving that the
reverse of the reverse of a list is the original list, takes a direct
approach, and its explanations emphasize the way that the two lemmas that are
needed to complete the proof can be deduced from the output produced by
unsuccessful proof attempts; one of these lemmas is the associativity of
append.

Here are the complete proofs for all three
inductive properties of lists, including the two lemmas that are needed to
establish the main goal.
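As an added worked example, not one of the Kumo proofwebs and not BOBJ or Duck input, the same development is carried through below in Lean 4. The list type, `app` and `rev` are defined here rather than taken from any Tatami specification. The two lemmas the text refers to, associativity of append and the interaction of reverse with append, are proved first by structural induction and then used to discharge the main goal; one further trivial lemma, `app_nil`, is needed because `app` as defined here recurses only on its first argument, so nil on the right is not an equation of the definition.

```lean
-- Added example: lists, append and reverse defined from scratch.
variable {α : Type}

inductive MyList (α : Type) where
  | nil  : MyList α
  | cons : α → MyList α → MyList α

-- append, recursing on the first argument
def app : MyList α → MyList α → MyList α
  | .nil,       ys => ys
  | .cons x xs, ys => .cons x (app xs ys)

-- reverse, defined via append (the "direct approach" of the text)
def rev : MyList α → MyList α
  | .nil       => .nil
  | .cons x xs => app (rev xs) (.cons x .nil)

-- Auxiliary lemma: nil is a right identity for append.
-- Needed here only because app recurses on its left argument.
theorem app_nil (xs : MyList α) : app xs .nil = xs := by
  induction xs with
  | nil => rfl
  | cons x xs ih => simp [app, ih]

-- Lemma 1: associativity of append (the lemma named in the text).
theorem app_assoc (xs ys zs : MyList α) :
    app (app xs ys) zs = app xs (app ys zs) := by
  induction xs with
  | nil => rfl
  | cons x xs ih => simp [app, ih]

-- Lemma 2: reverse distributes over append, swapping the arguments.
-- Its inductive step is exactly where app_assoc is required; a direct
-- attempt at rev_rev fails at this point, which is how the lemma is found.
theorem rev_app (xs ys : MyList α) :
    rev (app xs ys) = app (rev ys) (rev xs) := by
  induction xs with
  | nil => simp [app, rev, app_nil]
  | cons x xs ih => simp [app, rev, ih, app_assoc]

-- Main goal: reversing twice gives back the original list.
theorem rev_rev (xs : MyList α) : rev (rev xs) = xs := by
  induction xs with
  | nil => rfl
  | cons x xs ih => simp [rev, rev_app, ih, app]

-- Proof by reduction on a concrete list, in the spirit of a proof score.
example : rev (rev (MyList.cons 1 (.cons 2 .nil))) = .cons 1 (.cons 2 .nil) := rfl
```

Reordering the file so that `app_assoc` and `rev_app` come before `rev_rev` is the same move the text describes for the second proofweb: the failed inductive step of the direct proof shows which equalities are missing, and once those are stated and proved first, the main goal goes through by induction plus rewriting.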

A simple inductive proof of a formula for the sum of the squares of the first n natural numbers. This example is deliberately very
spare, and in particular has no explanations, in order to illustrate the
default conventions that Kumo uses when a user supplies only the absolute
minimum input.

A detailed proof that the square root
of 2 is irrational, illustrating the first order capabilities of Kumo.
Note that this uses and proves many auxiliary lemmas; see the directory listing. Note that no explanations have as
yet been provided for this proof or its parts.

The first example proves a simple formula about natural numbers,
illustrating the use of simple first order logic and induction. The second
example proves a simple property of a very simple software object, a flag, and
illustrates some basic concepts of hidden algebra, including behavioral
properties and coinduction. The third example proves the correctness of
implementing a stack with a pointer and an array; this is more complex than
the previous example, and uses more sophisticated coinduction techniques for
refinement. The first and fourth examples use induction, but the fourth is
considerably more complex, since it involves several inductive lemmas. The
fifth example has a different flavor, because it uses operations with multiple
hidden arguments. The seventh is a proof by contradiction, making heavy use
of first order logic; it is quite different from other examples, and
demonstrates the power of Kumo as a proof assistant.

For those who are interested in earlier stages of our research, we built a
number of demo websites by hand, in order to explore the underlying principles
and technologies. See the handmade demos homepage,
which contains the following:

One noticeable difference from the new Kumo generated proofs is that they
lack a status window popup; however, this will eventually be added; the new
Kumo websites also have better format and other features. The fourth example
is a compiler correctness proof that uses both induction and coinduction, with
complex specifications and many lemmas; this industrial scale example also
illustrates how proofs that are partly informal can be supported.

An intermediate stage between the examples produced by the current Kumo
system and the hand made examples is represented by the examples in the old Kumo demos homepage:

A coinductive correctness proof for the tatami
protocol, which maintains the consistency of distributed cooperative
proofs that are built using the Tatami system.

We believe that the newer Kumo user interface is better, and in addition,
we have taken advantage of improved logical capabilities in Kumo in the proofs
in the new Kumo demos homepage.
Organization

This project is supported by the National Science Foundation, and was
previously supported by the CafeOBJ Project at JAIST (Japan Advanced Institute of Science
and Technology), organized by Prof. Kokichi Futatsugi of JAIST.
See also the UCSD CafeOBJ
homepage and the IPA (Japan) homepage.
Other participants in the CafeOBJ project included: Mitsubishi Research
Institute, NEC, SRA and Unisys in Japan; SRI International in Menlo Park,
California; the Technical University of Munich in Germany; and the University
of Paris at Orsay.

Grigore Rosu, PhD in 2001
from UCSD; now at NASA, Ames Research Center, Mountain View CA. Working on
the theory of hidden algebra and algorithms for implementing it, theory of
institutions, modal logic, etc.

Razvan Diaconescu, at JAIST and
Romanian Acad. of Sciences, Bucharest; collaborator on hidden algebra and
short term visitor.

Eric Livingston, Visiting Scholar (from University of New England,
Armidale, Australia), from 1 Feb to 30 June 97. Sociologist; ethnomethodology
of mathematics (and other things, including checkers and chemistry).

Web-based Support for
Cooperative Software Engineering, by Joseph Goguen and Kai Lin,
in Volume 12, 2001, of the Annals of Software Engineering, a special
issue on multimedia software engineering, edited by Jeffrey Tsai. This is an
overview of the Tatami project and version 4 of the Kumo website generator
and proof assistant, focusing on its design decisions, its use of multimedia
web capabilities, and its integration of formal and informal methods for
software development in a distributed cooperative environment. The paper is
a revised and expanded version of the paper Web-based Multimedia Support for
Distributed Cooperative Software Engineering, by Joseph Goguen and Kai Lin,
which appeared in Proceedings, International Symposium on Multimedia
Software Engineering, edited by Jeffrey Tsai and Po-Jen Chuang, IEEE
Press, pages 25-32; the meeting was held in Taipei, Taiwan, December 2000.

Circular Coinduction,
by Grigore Rosu and Joseph Goguen, in Proceedings, International Joint
Conference on Automated Deduction, Siena, June 2001. This paper
provides the full proof of correctness of circular coinduction, and draws
some consequences including congruence criteria.

Hidden Congruent
Deduction, by Grigore
Rosu and Joseph Goguen, in Automated Deduction in Classical and
Non-Classical Logics, edited by Ricardo Caferra and Gernot Salzer,
Lecture Notes in Artificial Intelligence, Volume 1761, pages 252-267, 2000.
Preliminary version in Proceedings, First-Order Theorem Proving -
FTP'98, edited by Ricardo Caferra and Gernot Salzer, Technische
Universitat Wien, pages 213-223, 1998 (proceedings of a workshop held at
Schloss Wilhelminenberg, Vienna, November 23-25, 1998). The complete proceedings are available on the
web, and by ftp. This paper
extended all the main notions and results of hidden algebra to operations
that may have more than one hidden argument, introduced the notion of
cobasis, gave criteria for operations to be congruent, and introduced more
powerful rules of deduction.

A Hidden Agenda, by Joseph Goguen and Grant Malcolm, Theoretical Computer
Science, vol 245, no 1, pages 55-101, August 2000, special issue on
Algebraic Engineering, edited by Chrystopher Nehaniv and Masami Ito. This is
an early basic paper on hidden algebra, treating coinduction, nondeterminism,
concurrency and more. An earlier version is UCSD Technical Report CS97-538, April 1997,
and an obsolete abstract is in Proceedings of Workshop on New
Mathematics for Computer Science, in Conference on Intelligent Systems: A
Semiotic Perspective (National Institute of Standards and Technology,
Gaithersburg MD, 20-23 Oct 1996) pages 159-167.

Hidden Algebraic
Engineering, by Joseph Goguen, in Algebraic Engineering,
edited by Chrystopher Nehaniv and Masami Ito, World Scientific, 1999, pages
17-36; also UCSD Technical Report CS97-569, December 1997, and preliminary
version in Proceedings, Conference on Semigroups and Algebraic
Engineering, edited by Chrystopher Nehaniv (Aizu-Wakamatsu, Japan, 24-26 Mar
1997). This is a gentle introduction to the original version of hidden
algebra, with some examples and much motivation.

A Protocol for Distributed
Cooperative Work, by Joseph Goguen
and Grigore Rosu, in
Proceedings, Workshop on Distributed Systems, Iasi, Romania, September
1999, and in Elsevier Electronic Notes in Computer Science, 28, 1999,
pages 1-22. Uses hidden algebra to prove correctness of a novel internet
broadcast protocol which supports synchronous distributed cooperative
proving; also contains a brief summary of the main definitions and results of
hidden algebra of that time.

An Introduction to Algebraic
Semiotics, with Applications to User Interface Design, by Joseph
Goguen, in Computation for Metaphor, Analogy and Agents, edited by
Chrystopher Nehaniv, Springer Lecture Notes in Artificial Intelligence, volume
1562, 1999, pages 242-291. This is the basic paper on algebraic semiotics,
with 3/2-categories, 3/2-colimits, and many examples, especially from user
interface design; completed 28 December 1998. A preliminary version appeared
in Proceedings, Conf. on Computation for Metaphor, Analogy and Agents
(Aizu-Wakamatsu, Japan, 6-10 April 1998) pages 54-79, an earlier version of
which is Semiotic Morphisms, Technical Report CS97-553, August 1997.
A now obsolete extended abstract appeared in Proceedings, Conference on
Intelligent Systems: A Semiotic Perspective, Volume II (National Institute of
Standards and Technology, Gaithersburg MD, 20-23 Oct 1996) pages 26-31.

Hidden Algebra for Software
Engineering, in Combinatorics, Computation and Logic,
Proceedings, Conference on Discrete Mathematics and Theoretical Computer
Science, (University of Auckland, New Zealand, 18-21 January 1999), edited by
Cristian Calude and Michael
Dinneen; Australian Computer Science Communications, Volume 21, Number
3, Springer, pages 35-59, 1999 (keynote address). A gentle introduction to
hidden algebra, with simple examples, much motivation, and some history.
Completed 8 November 1998.

Signs and Representations:
Semiotics for User Interface Design, by Grant Malcolm and Joseph Goguen, in
Visual Representations and Interpretations, edited by Ray Paton and
Irene Nielson, Springer Workshops in Computing, 1998 (proceedings of a
workshop held in Liverpool), pages 163-172. An informal introduction to
algebraic semiotics with examples, including aspects of operating systems
interfaces. Completed 30 October 1998.

Two chapters from Theorem proving and Algebra, by Joseph Goguen,
to be published by MIT Press: Chapter 1, Introduction and Chapter 8, First Order Logic, plus the
References and the Table of Contents. Chapter 8 is an elegant
algebraic exposition of first order logic, proof planning and induction; the
approach to induction is unusually general.

Visit the "world-famous" UC San Diego
Semiotic Zoo for an astonishing collection of exotic semiotic
morphisms, each an example of bad design arising through failure to preserve
some relevant structure. (Notes: (1) The zoo is still under
construction, and currently lacks explanations for some exhibits; (2)
the zoo won a "Creativity Award" from Art & Technology.)

OBJ3
version 2.06 is a new OBJ release, a cleaned-up version of OBJ3 2.04
(originally from 1992), engineered by Joseph Kiniry and Sula Ma, and built and
supported by Joseph Kiniry;
it runs under GCL 2.2.2, and has modern open source documentation.
More links

The Behavior Homepage lists all members
of the Behavior Discussion List,
with links to their homepages whenever we could find them; this list is
intended to facilitate discussion and progress on behavioral aspects of
computer science and mathematics, including but not limited to, versions of
hidden algebra and behavioral equational logic, observational logic, and
coalgebra, as well as systems that support them, such as CafeOBJ and the Tatami
system with its Kumo theorem prover. Email Grigore Rosu to sign on to the list, or change
your email address.

CSE 271 is the basic graduate course on User Interface Design; this website
contains some information in algebraic semiotics, and a lot of background
information that is needed to appreciate why such an approach is useful.

Website of Razvan Diaconescu at
Institute of Mathematics of the Romanian Academy; neat stuff on the constraint
paradigm, behavioral rewriting logic, and more.

The Maude homepage of the
Computer Science Lab at SRI. Maude incorporates most features of OBJ3,
sometimes with small syntactic changes, and adds an implementation of rewriting logic, using a powerful new
rewriting engine, and the membership equational logic generalization of order
sorted equational logic.

Declarative group website on algebraic
semantics at Oxford, including links to Grant Malcolm, Corina Cirstea,
James Worrell, Simone Veglioni, Sula Ma, and Andrew Stevens. Note: Grant Malcolm is now at the
University of Liverpool.